The General Data Protection Regulation (GDPR) has been in effect since 25 May 2018, immediately seizing the attention of companies across the European Union as they baulked at the prospect of a €20 million fine.
Introduced against the backdrop of the Facebook-Cambridge Analytica scandal, the GDPR concerns data protection and privacy for all individuals within the European Union (EU) and the wider European Economic Area (EEA).
It is designed to give individuals more control over the handling of their personal information and not only imposes strict rules on the processing of data within the EU but also addresses the transfer of personal data outside of the EU and EEA.
No significant fines or sanctions have yet been imposed in the UK on any organisation for breaching the GDPR. However, the ruling in the recent 'Morrisons case' suggests a new trajectory for cases involving breaches of personal data and provides an insight into the types of claims that may become commonplace.
Vistra Corporate Law recognises that understanding the implications of the Morrisons case is vital for employers of all sizes. Having implemented appropriate policy documents and performed GDPR health checks for countless clients, we actively follow GDPR-related developments in order to keep our clients informed and protected.
The Morrisons Case
The Morrisons case is a landmark post-GDPR ruling which gives a first indication as to how Courts will deal with cases in which personal data has been unlawfully disclosed and to whom they're likely to assign blame. Despite the claim being made under the Data Protection Act 1998, the case is evidence of the seriousness with which data breaches are met and its implications are only heightened in light of the GDPR. The case is also the first class action suit made in respect of a data breach.
The case centred on a rogue Morrisons employee, Andrew Skelton, who released the personal data of nearly 100,000 Morrisons employees onto a file sharing website in early 2014. Mr Skelton worked as a senior internal auditor and had access to large volumes of personal data – specifically payroll data – which included home addresses and bank account details. Not only did Mr Skelton release the data in the public domain, he did so under the name of another employee.
Separate criminal proceedings found that Mr Skelton was motivated by a grudge he held against Morrisons which stemmed from an historical and unrelated disciplinary incident. He was jailed for eight years for fraud and data misuse. However, 5,518 employees subsequently brought litigation against Morrisons directly. Their claim was that Morrisons had both primary and vicarious liability for Mr Skelton's actions as his employer.
The High Court found that Mr Skelton's employment was directly linked to the disclosure of the personal information he was entrusted with. Morrisons deliberately tasked him with processing the personal data he released, had not managed the fallout of Mr Skelton's past disciplinary sanction and did not effectively assess the risk of providing a disgruntled employee with highly sensitive information.
In the eyes of the Court, there existed a sufficient connection between Mr Skelton's actions and the course of his employment, meaning Morrisons was vicariously liable for his actions. The fact that Mr Skelton disclosed the data from his home computer and outside of his working hours was not deemed a significant enough factor to break the connection that existed between his employer and the data breach, nor was his motive to cause harm to Morrisons found relevant to the case.
The Court of Appeal upheld the original High Court decision of vicarious liability in October 2018; however, as of April 2019, Morrisons has been given permission to take its appeal to the UK Supreme Court.
What is for certain is that the case so far makes for uneasy reading for employers, who may now be liable for the misuse of personal data by a rogue employee even if they are otherwise compliant with the GDPR, and even if the wrongdoing was intended to damage them.
Steps to avoid a 'Morrisons case' situation
In its findings, the Court of Appeal indicated that the "solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees". In principle, businesses will be able to insure against the risk of an unauthorised data breach either through a public liability policy or a bespoke cyber insurance policy.
However, there is a risk that such policies may not fully cover a company's exposure. Malicious conduct, such as Mr Skelton's, may fall outside the scope of a standard cyber insurance policy. Insurers may also introduce exclusions following the decision in the Morrisons case and could also implement policy limits.
First and foremost, then, employers should examine internal procedures to protect themselves against financial liability as a consequence of data leaks. In addition to exploring insurance options, employers can take the following steps to proactively defend against a Morrisons case situation:
1. Risk assess key personnel who will access personal data.
Have a robust recruitment process in place to identify individuals who are both qualified and responsible in their handling of personal data to directly reduce unintentional and unauthorised data breaches. Ensure that these duties are backed up by robustly drafted employment contracts and policies.
2. Restrict access to personal data.
Limiting the number of individuals with access to personal data will naturally decrease your exposure to risk. Only employees who require access to personal data to fulfil their duties should have it.
3. Implement appropriate policies and data handling procedures.
All employers should have effective GDPR privacy notices and data protection policies in place. In addition, there should be robust technological safeguards such as the use of encryption to prevent unauthorised access to personal data. Where large data files are copied, sufficient monitoring should be in place to record and mitigate this.
4. Train employees on the consequences of data breaches.
It should be made clear to your employees that it's not only you as an employer who can be liable for data breaches: liability extends to the employee and personal and criminal sanctions can also be imposed. Andrew Skelton received 8 years in prison for his role in the Morrisons data leak. Our commercial and employment teams at Vistra Corporate Law offer bespoke training for employees on their GDPR responsibilities. Effective training can significantly reduce the risk of personal data being leaked.
5. Monitor disaffected employees and risk assess their responsibilities.
Employees who have raised grievances or been the subject of disciplinary action can become disaffected. In the Morrisons case, the employee had been disciplined and bore a grudge, but was still asked by the employer to handle significant amounts of employee data.
6. Keep records of data incidents and implement breach notification/response plans.
Recording every incident which centres on the dissemination of employee or customer personal data will help inform new policies and procedures, while efficiently responding to data breaches reduces their impact and could avoid any consequences entirely.
7. Review employees' use of personal devices and introduce a Bring Your Own Device policy.
Blurring the lines between work and home can increase the likelihood of an unauthorised data breach. Having a robust policy in place can help to mitigate this risk.
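As an added illustration of the monitoring called for in step 3 (example code written for this page, not part of the article or of any Vistra service), the following Python scans an access audit log and flags any user whose payroll record volume within a one-hour sliding window exceeds a threshold, noting whether the access fell outside business hours. The log format, user names, threshold and allowlist of approved batch jobs are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (assumed format): timestamp, user, action, record count.
AUDIT_LOG = """\
2019-04-01T09:02:11 user_a payroll_read 1
2019-04-01T09:05:40 user_a payroll_read 3
2019-04-01T22:14:02 user_b payroll_export 48000
2019-04-01T22:31:55 user_b payroll_export 52000
2019-04-02T10:00:00 user_b payroll_read 2
2019-04-02T11:30:15 svc_hr_batch payroll_export 1200
"""

RECORD_THRESHOLD = 5000        # records per user per window (assumed value)
WINDOW = timedelta(hours=1)    # sliding window length (assumed value)
ALLOWLIST = {"svc_hr_batch"}   # approved scheduled exports (assumed)


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return sorted(events)


def bulk_access_alerts(text, threshold=RECORD_THRESHOLD, window=WINDOW):
    """Return {user: (peak_records_in_window, window_start, off_hours)} for every
    non-allowlisted user whose record volume in some sliding window exceeds threshold."""
    per_user = defaultdict(list)
    for ts, user, _action, count in parse_log(text):
        if user not in ALLOWLIST:
            per_user[user].append((ts, count))
    alerts = {}
    for user, evs in per_user.items():
        start, total = 0, 0
        for ts, count in evs:
            total += count
            while ts - evs[start][0] > window:   # drop events older than the window
                total -= evs[start][1]
                start += 1
            if total > threshold and total > alerts.get(user, (0,))[0]:
                off_hours = not (8 <= ts.hour < 18)  # assumed business hours 08:00-18:00
                alerts[user] = (total, evs[start][0], off_hours)
    return alerts


if __name__ == "__main__":
    for user, (records, since, off_hours) in bulk_access_alerts(AUDIT_LOG).items():
        print(f"ALERT {user}: {records} records since {since} (off-hours: {off_hours})")
```

A real deployment would feed this from the application's audit trail and tune the threshold per role; the point is that a single bulk copy of a payroll file, of the kind the article describes, produces a recordable signal at the time it happens rather than after the data is already public.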